The European Commission (EC) has issued a notice reminding stakeholders that due to the UK’s intention to leave the EU, they will be considered a ‘third country’ for the purposes of data transfers from 10 March 2019 (available here).
Data transfers to third countries outside the EEA are prohibited unless the European Commission has issued an adequacy decision approving that third country as providing an adequate level of protection, or the controller or processor has put in place appropriate safeguards, such as the standard data protection clauses (otherwise known as the ‘Model Clauses’) or binding corporate rules for intra-group data transfers, or one of the other derogations apply. The GDPR also provides for additional transfer mechanisms, including approved codes of conduct and certification mechanisms whereby a controller or processor located in the third country makes binding and enforceable data protection commitments.
The EC notes that a potential outcome of the negotiations on the UK’s withdrawal from the EU, is that the UK could achieve an adequacy decision by the EC, which would allow personal data to flow from an EU data exporter to the UK without any additional safeguards being implemented. The UK Data Protection Minister, Matt Hancock, has reportedly stated that an adequacy decision is one of his aims in the Brexit negotiations, but it is too soon to tell whether this is achievable.
The EC has announced that it has set up stakeholder group consisting of industry, civil society and academics, which will discuss this topic in further detail. The EC has published a position paper on the use of data and protection of information obtained or processed before the withdrawal date which is available here.